Implementing IETF Draft on DNS use in Kerberos

Jeffrey Altman jaltman at
Thu Jul 18 14:19:00 EDT 2002

> > The primary reason for wanting DNS TXT lookups turned on for machines
> > without krb5.conf files is that otherwise there is no method by which
> > the machine can determine which realm it belongs to.
> This issue has me confused.  The IETF wg and others feel that Kerberos
> referrals should be used for realm lookups since DNS TXT realm lookups
> are insecure but in the case of a client without a krb5.conf file
> there doesn't seem to be a way (other than a DNS TXT realm lookup) for
> the client to know it's realm and thus which KDC to contact in order
> to do referrals.  
> Would it be reasonably safe to restrict the client to looking up it's
> local realm via DNS TXT since it would be contacting the local KDC and
> the shared secret key would provide spoofing protection (cross-realm
> lookups would be handled by referral once the local KDC is known)?

It would be safe provided that upon receiving the local Realm info and
using it to retrieve a TGT, that the TGT be used to retrieve a service
ticket to verify against the local machine.  Of course, this can't be
done unless the local machine was configured to be part of the local
realm; AND as such had a service key installed on it.

So in the general case there is no way to verify the lookup of the
local realm.  But given that there is no other way of retrieving the
local ream info many of us do it anyway.  It would be nice if the
realm info could be distributed using DHCP.  

 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP            Secured with MIT Kerberos, SRP, and 
 kermit-support at               OpenSSL.

More information about the krbdev mailing list